ISO 27018 is a code of practice that focuses on protection of Personally Identifiable Information (PII) in the cloud.

Intrinsic Imaging is the only imaging core lab in the world whose quality management system is ISO 27018 certified.

Privacy Protection on The Cloud

At Intrinsic Imaging, we have the most sophisticated and comprehensive quality management system in the industry.

Intrinsic Imaging’s ISO 27018 certification for Protecting Personally Identifiable Information on the Cloud is another example of Intrinsic Imaging’s leadership in providing quality imaging core lab services and demonstrates the company’s ability to reliably and effectively protect all patient and other personal assets during clinical trials.

Certified by BSI

Certified by the British Standards Institute (BSI), the world’s largest and most respected National Standards Body, our ISO 27018 certification applies to all activities required for a medical imaging core lab to provide services on clinical trials.

This includes imaging core lab services to global pharmaceutical, biotechnology, medical device and contract research organizations in accordance with our Statement of Applicability v2.0 dated July 10, 2017.

Intrinsic Imaging’s Privacy Policy & Principles

1) Notice a) If Intrinsic Imaging collects personal information directly from individuals, Intrinsic Imaging will inform the individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

2) Choice a) If Intrinsic Imaging collects personal information directly from individuals, Intrinsic Imaging will offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

3) Accountability for Onward Transfer a) If Intrinsic Imaging acts as third party and is transferred personal information of individuals from Sponsors, Intrinsic Imaging agrees to provide at least the same level of privacy protection as is required by the relevant Principles. Further, if Intrinsic Imaging wishes to transfer personal information to a third party that is acting as an agent, it will do so after if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If Intrinsic Imaging complies with these requirements, it shall not be held responsible when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless Intrinsic Imaging knew or should have known the third party would process it in such a contrary way and Intrinsic Imaging had not taken reasonable steps to prevent or stop such processing.

4) Security a) If Intrinsic Imaging creates, maintains, uses or disseminates personal information, it will take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5) Data Integrity and Purpose Limitation a) Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. Intrinsic Imaging will not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Intrinsic Imaging will take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

6) Access a) If Intrinsic Imaging collects personal information directly from individuals, Intrinsic Imaging will provide individuals access to personal information about them that Intrinsic Imaging holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

7) Recourse, Enforcement, and Liability a) Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual’s complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

8) Limitation on Application of Principles a) Adherence by Intrinsic Imaging to these Privacy Shield Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation